
Commit 8ea8a44

Merge pull request #33701 from MicrosoftDocs/main
4/2/2025 PM Publish
2 parents 941b52f + 0e4ebf7 commit 8ea8a44

2 files changed

+30
-4
lines changed

azure-sql/database/auditing-overview.md

Lines changed: 2 additions & 2 deletions
@@ -51,8 +51,8 @@ You can use SQL Database auditing to:
5151
- One of the primary changes involves a folder structure change for audit logs stored in storage account containers. Previously, server audit logs were written to separate folders; one for each database, with the database name serving as the folder name. With the new update, all server audit logs will be consolidated into a single folder labeled `master`. This behavior is the same as Azure SQL Managed Instance and SQL Server.
5252
- Folder structure change for read-only replicas:
5353
- Read-only database replicas previously had their logs stored in a read-only folder. Those logs will now be written into the `master` folder. You can retrieve these logs by filtering on the new column `is_secondary_replica_true`.
54-
- Permissions required to view Audit logs :
55-
- **Control Server** permission is required to view audit logs stored in the `master` folder
54+
- Permissions required to view Audit logs:
55+
- `CONTROL DATABASE` permission on the `master` database is required to view audit logs stored in the `master` folder
5656

5757
## Auditing limitations
5858
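Review bot: On new line 55, the required permission moves from server scope (**Control Server**) to `CONTROL DATABASE` on the `master` database, with no indication of whether this is a correction to the docs or part of the behavior change. The surrounding bullets all spell out what changed ("Previously ... With the new update"), so say which it is here too, so that readers who granted the server-level permission know whether they can narrow it. The new bullet also lacks the closing period that the sibling bullets at lines 51 and 53 have.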

docs/relational-databases/replication/security/replication-security-best-practices.md

Lines changed: 28 additions & 2 deletions
@@ -59,8 +59,34 @@ helpviewer_keywords:
5959

6060
- Ensure that a given agent (for example the Distribution Agent for a subscription) makes connections under the same account at each computer.
6161

62-
- In situations that require [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] Authentication, access to UNC snapshot shares is often not available (for example access might be blocked by a firewall). In this case, you can transfer the snapshot to Subscribers through file transfer protocol (FTP). For more information, see [Transfer Snapshots Through FTP](../../../relational-databases/replication//publish/deliver-a-snapshot-through-ftp.md).
63-
62+
- In situations that require [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] Authentication, access to UNC snapshot shares is often not available (for example access might be blocked by a firewall). In this case, you can transfer the snapshot to Subscribers through file transfer protocol (FTP). For more information, see [Transfer Snapshots Through FTP](../../../relational-databases/replication//publish/deliver-a-snapshot-through-ftp.md).
63+
64+
## Improve security posture with database master key
65+
66+
When using SQL Server authentication for replication, secrets that you provide when you configure replication are stored within SQL Server — specifically, in the distribution database and, for pull subscriptions, also in the subscriber database.
67+
68+
To enhance the security posture for replication, **before you *start* to configure replication**:
69+
70+
- Create a [database master key (DMK)](../../../t-sql/statements/create-master-key-transact-sql.md) in the distribution database of the server that hosts the Distributor.
71+
- For *pull subscriptions*, also create a DMK in the subscriber database.
72+
73+
If replication was created before the DMK, first create the DMK, and then update replication secrets by updating passwords for replication jobs. You can update the job with the same password, or you can use a new password.
74+
75+
To update replication secrets, use one of the following relevant stored procedures to update passwords for replication jobs:
76+
77+
- [sp_changelogreader_agent](../../system-stored-procedures/sp-changelogreader-agent-transact-sql.md)
78+
- [sp_changesubscriber](../../system-stored-procedures/sp-changesubscriber-transact-sql.md)
79+
- [sp_changedistpublisher](../../system-stored-procedures/sp-changedistpublisher-transact-sql.md)
80+
- [sp_changepublication_snapshot](../../system-stored-procedures/sp-changepublication-snapshot-transact-sql.md)
81+
82+
83+
Configuring transactional replication without a DMK can result in SQL Server warning `14130` on:
84+
85+
- Azure SQL Managed Instance
86+
- SQL Server 2022 [CU18](/troubleshoot/sql/releases/sqlserver-2022/cumulativeupdate18) and later
87+
- SQL Server 2019 [CU31](/troubleshoot/sql/releases/sqlserver-2019/cumulativeupdate31) and later
88+
89+
6490
## Related content
6591

6692
- [Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager)](../../../database-engine/configure-windows/configure-sql-server-encryption.md)
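Review bot: The new section (lines 64-87) says replication secrets are stored in the distribution and subscriber databases and then tells the reader to create a DMK, but it never states what the DMK does to those stored secrets. Add one sentence making that link explicit, and say what warning `14130` reports and how to clear it. The list at lines 77-80 is introduced as "one of the following relevant stored procedures" without saying which procedure covers which agent or password, so a reader cannot tell which one to run. Lines 62-63 are removed and re-added with no visible text change, and the link on line 62 still contains a double slash in `replication//publish/`, which could be fixed while the line is being touched.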
